Passport snooping raises alarm
Lawmakers consider whether additional legislation is needed to safeguard data
The revelations that three contractors and a State Department employee snooped into the passport files of the presidential candidates prompted new calls from lawmakers for more federal regulations centered on data security breaches.
Meanwhile, officials say unauthorized access to private or classified information is a significant and recurring problem.
Thieves stole a laptop computer containing information on clinical trial participants from the trunk of a National Institutes of Health employee’s car in February.
The Veterans Affairs Department, Agriculture Department and other federal agencies have also reported security incidents involving data loss.
At the State Department, an automated system detected the unauthorized passport file access, but senior officials said they learned of the incidents only when a reporter called to inquire.
State officials said that “imprudent curiosity” caused the security incidents.
Anyone gaining access to passport records who did not have a need to do so would violate the 1974 Privacy Act. Personal information stored in federal databases is protected under that law.
The department uses a need-to-know standard in determining whether someone is authorized to view personal information, said Patrick Kennedy, undersecretary for management. However, some lawmakers argue that might not be sufficient.
Lawmakers on the Senate Judiciary Committee are pressing Senate leaders to take up legislation that would tighten oversight of government contractors who handle personal information and strengthen requirements for reporting data breaches.
Currently, Office of Management and Budget policy requires agencies to report all incidents that potentially involve personally identifiable information to the Homeland Security Department’s U.S. Computer Emergency Readiness Team (US-CERT) within an hour of discovery. Also, a May 2007 memo from OMB requires agencies to create policies on data breaches and identify corrective actions.
According to OMB’s 2007 report to Congress on implementing the Federal Information Security Management Act, US-CERT received more than seven times as many “unauthorized access” cybersecurity incident reports in fiscal 2007 as it did in fiscal 2005. Reports categorized as “improper usage” quintupled during that same period. Both spikes are attributed to increases in reports of incidents in which personally identifiable information potentially had been exposed. Overall, security incidents reported to US-CERT more than tripled during that three-year span.
“A week does not go by without reports of personal data privacy breaches,” Sens. Patrick Leahy (D-Vt.) and Arlen Specter (R-Pa.) wrote March 25 in a letter to Senate leaders urging passage of their legislation, the Personal Data Privacy and Security Act. “The legislation would provide protections for consumers, including a requirement for timely notification of data security breaches,” they wrote. The bill would require that government contractors safeguard sensitive personal data, such as the passport information that workers improperly viewed.
About 40 states have data breach notification laws on the books, said Lisa Sotto, head of the privacy and information management practice at law firm Hunton and Williams and an expert on privacy and data security. In the private sector, the culprits behind unauthorized data access are often those who have some degree of legitimate access, as was the case at State, Sotto said.
“I think it’s fair to say that employees are always curious,” Sotto added. “A very significant number of data breaches are committed by employees, contractors and third-party vendors, and that makes sense because they have authorized access to systems but not necessarily authorized access to certain data, or they simply ought to not be looking at certain data.”
The passport file doesn’t record travel information. However, it does store the personal information that people submit when they apply for a passport. Federal agencies that have agreements with the State Department can access the database. In addition, Interpol and some foreign governments have data-sharing arrangements that allow for automated checking of lost, stolen or otherwise invalid passport records.
Sean McCormack, a State spokesman, said the breach’s discovery showed that the department’s detection system worked.
However, the discovery should have been passed on to the department’s top officials immediately, he added.
Two of the fired employees were subcontractors to Stanley. Stanley officials said the company fired the workers the day the unauthorized search occurred. The company said it plans to fully comply with any government investigation.
The way the incident was handled was probably typical, said Jonathan Aronie, an attorney at law firm Sheppard Mullin and a Federal Computer Week columnist. Prime contractors usually handle conduct issues involving subcontractors.
Stanley has received several contracts to process passport applications. The company oversees passport printing, quality control and mailing operations at 18 processing sites nationwide. In the Office of Passport Services, government employees are solely responsible for adjudicating passport applications, while contractors perform many associated duties, including customer service, data entry, and printing and mailing of travel documents.
As contractors play a larger role in the federal government, Office of Federal Procurement Policy guidelines for determining which government tasks cannot be performed by contractors are expected to spur continuing debate in Congress.
Ben Bain is a reporter for Federal Computer Week.